Patch DNS Servers Faster

51mon writes "Austrian CERT used data from one of their authoritative DNS server to measure the rate at which the latest DNS patch (source port randomization) is being rolled out to larger recursive name servers. While about half the traffic (PDF) they receive is now using source port randomization, their data suggest that this is due to ISPs who roll out such fixes immediately. The rate of patching has fallen to disappointingly low levels since. If your ISP isn't patched, perhaps it is time to switch." After details of the DNS vulnerability leaked, researchers |)ruid and HD Moore released attack code; ZDNet's security blog has an analysis.

Re:Switch DNS Servers, NOT ISPs

[A beautiful mind]

I digress. If an ISP didn't patch yet, it means they are incompetent. When the Debian SSL vulnerability was discovered, I sent two emails out, one to my server hosting company and one to my phone company. The server hosting company replaced their ssl cert within a day, the phone company took 4 months, meanwhile their online user gateway was open to sniffing.

I ditched the phone company when my email didn't get a reply in a week.

DNS became slower

[sucker_muts]

Here in Belgium, I use Scarlet as my ISP.

It seems that dns queries have become much slower. With opera I can see what urls are being requested (main page, images/flash or ads).I can see that for every new page the first thing opera does is doing the dns queries for all the urls. And this has become very slow from time to time.

I've read somewhere that the randomization really slows down bind, but that the team is working on a patch to solve that.
(I also don't understand why opera need to execute dns queries every time I click a link, why can't opera have a tiny cache for the ip addresses? They don't chance that often, do they? I'm not very paranoid about the security implication, either.)

AT&T Southeast way behind the curve

[BDaniels]

We use AT&T (formerly Bellsouth) and their servers are not fixed according to the 'dig +short porttest.dns-oarc.net TXT' test.
I contacted their NOC about the problem yesterday and got the following reply:

"Patching for these servers are scheduled to begin next week."

So, major vulnerability, two weeks advance notice, exploit code released - we'll get around to it later.

Re:Switch DNS Servers, NOT ISPs

[Anonymous Coward]

I had been using OpenDNS. I stopped when I realized they were monitoring my traffic. When I go to Google, they were returning their own Google-like page, to which my browser would submit the query, and then redirect me to Google.

I stopped using them after that discovery.

Easier Said Than Done

[foo fighter]

These kind of systems are really hard for security guys to get changed.

It's like updating switch and routing firmware. Most network engineers who know what they're doing and that have been around for awhile have been burned by "simple" or "easy" patches and config changes going tits up.

When your core network infrastructure goes tits up your phone tends to light up like a christmas tree. (Granted, when your web presence is redirected to porn or a copy that hides an iframe exploiting customers with unpatched browsers, well, you'll maybe get some phone calls.)

This DNS patch is a case-in-point: Microsoft's fix is rather ham-fisted and broke stuff; the BIND-Users list is full of people troubleshooting ISC's patch.

Also, many organizations (like mine) are taking this as an opportunity to reengineer their DNS architecture. This is the perfect time to reevaluate using TSIG and DNSSEC if you don't already.

It has only been just over two weeks since the initial "announcement". The progress so far is really amazing when you consider how big a ship the Internet is.

Re:Switch DNS Servers, NOT ISPs

[Woy]

I used OpenDNS and gave it up because it replaced firefox's feature to search google with what you type on the address bar with its own crappy search.

Re:DNS became slower

[Lennie]

If it has become slower, they are probably using bind9, because it's quick fix. After they've known for 6 months, all they could release was a quick fix. Even though the author/organsation that created/maintainces bind knew about possible problems somewhere in the preview century. I'm sorry, but I've stopped using their software as much as possible.

OpenSuSe 10.2 RPMs miss the point?

[the_olo]

I have an OpenSuSe 10.2 x86_64 machine and have manually upgrade-installed the x86_64 RPMs from the security announcement (http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00003.html [opensuse.org]). Yast2 has some problems due to this release being old and mirrors not available so I did a manual "rpm -Uhv".

Still, from a traffic dump it seems that on SuSe 10.2 the caching Bind nameserver sends out queries with predictable source ports (incrementing by 1).

Fedora's patched Bind sends from random ports (didn't run statistical randomness test on them, though).